HIPAA Guidelines – Why you should not use Skype, Email or Facetime for communicating with your patients

December 14, 2016 | By Ami Tucker

The HIPAA guidelines on telemedicine affect any physician who provides a remote service to patients in their homes or in community centers. Many people mistakenly believe that communicating ePHI at a distance is acceptable over any channel, as long as the communication is directly between physician and patient.

However, the channel used for communicating ePHI at a distance also matters if physicians are to be compliant with the HIPAA guidelines on telemedicine. This element of the guidelines is contained within the HIPAA Security Rule, which stipulates:

Only authorized users should have access to ePHI.

A system of secure communication should be implemented to protect the integrity of ePHI.

A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

The first bullet point is satisfied provided that the physician uses “reasonable and appropriate safeguards” to prevent ePHI being disclosed to any unauthorized parties. The second bullet point, however, means that insecure channels of communication such as Skype, FaceTime and email should not be used for communicating ePHI at a distance.

Finally, according to the HIPAA guidelines on telemedicine, any system for communicating ePHI at a distance must allow communications to be monitored and, if necessary, remotely deleted. The second and third bullet points also apply to ePHI that is stored.

Why You Should Not Use Skype, FaceTime or Email for Telemedicine

When ePHI created by a medical professional or a healthcare organization (covered entity) is stored by a third party, the covered entity is required to have a Business Associate Agreement (BAA) with the party storing the data. This BAA must include methods used by the third party to ensure the protection of the data and provisions for regular auditing of the data’s security.

As copies of communications sent by SMS, Skype or email remain on the service providers' servers, and contain individually identifiable health information, the covered entity would need a BAA with (for example) Verizon, Skype or Google in order to be compliant with the HIPAA guidelines on telemedicine.

Where (for example) Verizon, Skype or Google will not enter into a BAA with a covered entity, the covered entity is liable for any fines or civil action should a breach of ePHI occur because of the third party's lack of HIPAA-compliant security measures. The covered entity would also be likely to fail any HIPAA audit it is subject to, for failing to conduct a suitable risk assessment, which might in turn affect the receipt of payments under the Meaningful Use incentive program.

Solutions for Communicating ePHI at Distance

Many physicians elect to use a secure messaging solution to comply with the HIPAA guidelines. Secure messaging solutions offer the same speed and convenience as SMS, Skype or email, but comply with the Security Rule by allowing only authorized users to access ePHI, providing a secure channel of communication, and monitoring activity on that channel.

These solutions for communicating ePHI at a distance work via easy-to-operate apps that most healthcare professionals will find familiar, as they have a similar interface to commercially available messaging apps. Each authorized user logs into the app using a centrally issued username and password. They can then communicate with other authorized users within the covered entity's private communications network.

All communications, including images, videos and documents, are encrypted so that a message intercepted over a public Wi-Fi service is unreadable and unusable, and safeguards exist to prevent ePHI from being sent outside the covered entity's private network, whether accidentally or maliciously. All activity on the network is monitored by a cloud-based platform to ensure that secure messaging policies (also part of the HIPAA Security Rule) are adhered to.

Communicating with Patients Using Secure Messaging

In order to communicate with patients, physicians can either authorize the patient to have temporary access to the network via the secure messaging app, or open a secure temporary browser session for the patient using the same platform. In many cases, medical professionals and healthcare organizations have integrated the secure messaging solution into the EHR to eliminate time-consuming manual patient updates.
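The two passages above (the private messaging network with centrally issued credentials, the block on messages leaving the network, monitoring and remote deletion, and the temporary patient access) describe a small set of access-control rules. The model below is an added example, not code from the original article or from any secure messaging vendor: it implements those rules for one hypothetical covered entity ("example-clinic") with constructed users and messages. Encryption of the message bodies is assumed to be handled by the transport (TLS) and by the platform's storage and is not implemented here; the point is who may send, receive, read and delete, and that every decision leaves an audit record.

```python
"""Minimal model of a covered entity's private secure-messaging network.

Added example, not the article's or any vendor's code.  It models the three
Security Rule points the article lists: only authorized (and, for patients,
unexpired) users get access; messages may only be addressed to members of the
private network; every action is logged so it can be monitored, and an admin
can remotely delete a message.  Transport and at-rest encryption are assumed
to be provided by the platform and are not implemented here.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the directory stores a salted hash, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    name: str
    role: str                # "staff", "admin" or "patient"
    salt: bytes
    pw_hash: bytes
    expires: Optional[int]   # None for staff; a timestamp for temporary patient access


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    body: str
    deleted: bool = False


class SecureMessagingNetwork:
    """One covered entity's private messaging network (constructed model)."""

    def __init__(self, org: str):
        self.org = org          # hypothetical covered entity name
        self.users = {}         # name -> User: the central directory
        self.messages = {}      # msg_id -> Message
        self.audit_log = []     # (event, actor, detail) tuples for monitoring

    def _log(self, event: str, actor: str, detail: str = "") -> None:
        self.audit_log.append((event, actor, detail))

    def enroll(self, name, password, role="staff", expires=None):
        # Credentials are issued centrally; patients get an expiry timestamp.
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, role, salt, _hash_password(password, salt), expires)
        self._log("ENROLL", name, role)

    def _active(self, name: str, now: int) -> bool:
        user = self.users.get(name)
        return user is not None and (user.expires is None or now < user.expires)

    def authenticate(self, name, password, now=0) -> bool:
        if not self._active(name, now):
            self._log("AUTH_FAIL", name, "unknown or expired user")
            return False
        user = self.users[name]
        ok = hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))
        self._log("AUTH_OK" if ok else "AUTH_FAIL", name)
        return ok

    def send(self, sender, password, recipient, body, now=0) -> Optional[str]:
        if not self.authenticate(sender, password, now):
            return None
        # Safeguard: ePHI may only be addressed to an active member of the network,
        # so an outside address (a consumer email account, say) is blocked and logged.
        if not self._active(recipient, now):
            self._log("BLOCKED", sender, f"recipient {recipient!r} is not an active member of {self.org}")
            return None
        msg_id = secrets.token_hex(8)
        self.messages[msg_id] = Message(msg_id, sender, recipient, body)
        self._log("SENT", sender, f"{msg_id} -> {recipient}")
        return msg_id

    def read(self, name, password, msg_id, now=0) -> Optional[str]:
        if not self.authenticate(name, password, now):
            return None
        msg = self.messages.get(msg_id)
        # Only the two parties to a message may read it, and only while it exists.
        if msg is None or msg.deleted or name not in (msg.sender, msg.recipient):
            self._log("DENIED", name, f"read {msg_id}")
            return None
        self._log("READ", name, msg_id)
        return msg.body

    def remote_delete(self, admin, password, msg_id, now=0) -> bool:
        if not self.authenticate(admin, password, now) or self.users[admin].role != "admin":
            self._log("DENIED", admin, f"delete {msg_id}")
            return False
        msg = self.messages.get(msg_id)
        if msg is None:
            return False
        msg.body = ""          # content is wiped; the audit trail of the message remains
        msg.deleted = True
        self._log("DELETED", admin, msg_id)
        return True
```

The `now` parameter is passed explicitly rather than read from the clock so the expiry of a patient's temporary access can be exercised deterministically; a real deployment would also bind each session to the device and enforce an idle timeout, neither of which the article covers.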

Both when communicating with patients using secure messaging and when communicating between medical professionals, secure messaging solutions have the following advantages:

Medical professionals in the community can send and receive ePHI on the go using secure messaging.

Images can be attached to secure messages, which can then be shared to accelerate diagnoses and the administration of treatment.

Communicating ePHI at a distance with secure messaging ensures that messages reach the correct recipient, reduces the time wasted between sending a message and receiving a reply, and protects the integrity of ePHI in compliance with the HIPAA guidelines on telemedicine.

Some Final Thoughts about the HIPAA Guidelines on Communication

Secure messaging solutions were initially developed to facilitate messaging in compliance with HIPAA, but many of the features of secure messaging have resulted in benefits that have enhanced the workflows of physicians’ practices, and increased the standard of healthcare received by patients.

Many practices have been pleasantly surprised at the ease with which the HIPAA guidelines on telemedicine can be complied with, and even more pleasantly surprised at the cost, since there is no need to invest in expensive hardware or complicated software, or to drain the practice's IT resources.

The HIPAA guidelines on telemedicine make it quite clear what measures should be introduced to secure the integrity of ePHI. Given the significant advantages of implementing a secure messaging solution, it is only a question of time before all practices are communicating ePHI at a distance with secure messaging.

6 Responses to “HIPAA Guidelines – Why you should not use Skype, Email or Facetime for communicating with your patients”

Thank you for reading our blog! Many of the guidelines and regulations have not yet been tested. We always advise the most conservative measures for clients to protect them under all circumstances. We don’t believe this is an arena to test the boundaries.

We consulted with our compliance consultants and here is what they said about FaceTime: “Unless Apple provides a business associate agreement or its online terms specify a business associate provision, then it should not be used for purposes of communicating PHI. Even if PHI is not communicated, if used in a healthcare setting, then patients or medical files may be visible in the background, which would be considered PHI. However, there is video conferencing software on the market that is HIPAA compliant.”

Why wouldn’t FaceTime fall into the conduit clause, which would not require a BAA? This is an encrypted end-to-end communication and there is no access to the ePHI at any point. The same goes for JusTalk.

We spoke to our compliance consultants again and they responded with this information:
HHS has issued guidance on cloud computing, explaining that cloud service providers (CSP) are generally not considered conduits:
“CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.
As explained in previous guidance, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.” https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
It can be argued that this service falls under the conduit exception if it merely transmits and is not storing the information in any capacity. However, we have not assessed legal terms or encryption measures for Apple/FaceTime, so the client will have to make this determination and document its analysis if it decides to use it in the facility.